Abstract. We introduce the concept of a group principal and present
a number of different classes of group principals, including
threshold-group-principals. These appear to be naturally useful concepts for
looking at security. We provide an associated epistemic language and logic and
use it to reason about anonymity protocols and anonymity services, where
protection properties are formulated from the intruder's knowledge of
group principals. Using our language, we give an epistemic characterization
of anonymity properties. We also present a specification of a simple
anonymizing system using our theory.


1 Introduction

Though principals are typically viewed as atomic, there is no reason we cannot
consider the knowledge and actions taken by a group. Hence, the basic notion
of a group principal. This notion appears to be a useful concept for reasoning
about various properties of electronic commerce and security protocols. One such
principal is a threshold-group-principal. Such a principal allows us to express
properties of threshold cryptosystems [13]. Although we do not pursue this in
the present paper, we believe we can give a straightforward characterization not
only of threshold cryptography including signatures and confidentiality, but also
(once time is introduced into our language) such things as proactive security [5]
and mobile adversaries [19]. Another group principal is the or-group principal.
It is useful for characterising security properties relating to anonymity.

We demonstrate the applicability of our theory by examining the issue of
anonymity and privacy. Studies have shown that privacy is a great concern for
users of electronic commerce. Numerous protocols have emerged for protecting
the anonymity of individuals. These protocols have been in the areas of
protecting general Internet communications [23], commercial transactions [25],
web based communications [21, 1], email [9, 18], and electronic cash [28].
However, little work has been done on formally representing or analyzing
privacy in such protocols.

In this paper, we provide an epistemic language and logic and use it to
reason about anonymity protocols and anonymity services. We also describe
an associated model of computation. Using our language, we give an epistemic
characterization of various anonymity properties. As far as we know, these basic
properties have not been set out previously.

We develop the idea of looking at the environment as not a single entity
through which all messages must pass, but one with individual components with
different characteristics. In our model, the environment principal is no different
from system principals. When you send a message you send it to an environment
principal, likewise for receiving messages. All uncertainty in communication is
represented in the environment principals; so, any sent message is immediately
received, and all received messages have been sent by some principal. In this
way, we are able to specify environments particular to the threat model at hand.

We demonstrate our approach with a simple example. Typically, we have a
single intruder which is a distributed group principal, composed of environment
and/or (compromised) system principals. Each principal is specified by a
knowledge program. Compromised principals run distinct programs from their
reliable counterparts. It is also possible to have multiple intruders, each with
their own separate goals, though we do not present any examples of this in this
paper.

This paper does not address temporal features directly, other than to
differentiate past and present (much as in [2]). Thus any timing attack on an
anonymity system is beyond its scope. Temporal reasoning is expected to be added
in future work, and there is no reason to expect difficulty in doing so. Indeed,
the knowledge programs set out in this paper are derived from the knowledge-based
programs of [11, 12], and those include temporal operators by default.

The seminal work setting out properties, goals, and mechanisms for anonymity
in communication is that of Chaum (cf., e.g., [6, 7]). Our work is the first we are
aware of to give an epistemic characterization of anonymity properties. However,
anonymity properties have been formally defined in CSP [22]. And, in [20] a
formal notation was given for specifying anonymity protocols; however, that
notation was not designed to specify anonymity properties or to be used in formal
analysis. Also, others have defined interesting rigorous but informal notions of
security properties [21].

The remainder of this paper is as follows. In Section 2 we present our model
including the definitions of various types of group principals. In Section 3 we
present the formal language. In Section 4 we present the logic. In Section 5 we
present anonymity properties. In Section 6 we present our knowledge programs.
In Section 7 we present a specification of the anonymizer protocol. In Section 8
we present our conclusions.

2 Model

Our system model is essentially built from and extends model elements described
in [11] and elsewhere. We give a sketch of our model here.

2.1 Atomic Principals

There is a set of atomic principals $\{P_1, \ldots, P_n\}$. These are similar to
the 'ordinary' principals that one associates with distributed computing.
However, unlike others, we do not distinguish the environment in the model. Also,
unlike others, the environment may be several (possibly disconnected) principals.
Environment principals are made up of these atomic principals, just as system
principals are.

2.2 Actions

Each principal can perform any one of a set of actions at each time. The
actions that can be performed are send($M, P_i, P_j$), receive($M, P_j, P_i$),
representing the sending of a message $M \in \mathcal{M}$ (the set of messages)
from $P_i$ to $P_j$ and its receipt by $P_j$ from $P_i$ respectively. Principals
may also perform internal operations, int-action($\{M_1, \ldots, M_n\}, P_i$).
This represents principal $P_i$ performing some internal operation on the
messages in the set $\{M_1, \ldots, M_n\}$, for example encryption,
concatenation, decryption, etc. Principals may also do nothing at a given time.
This is indicated by the performance of the null action $\Lambda$. Two
particular internal actions, record and purge, will be discussed presently. We
follow the example of [10] and subsequent work, that all messages are sent to the
environment or received from the environment. We can thus make the simplifying
assumption that all sent messages are received immediately. Any message
loss, delay, modification, etc. can be represented by the actions of the
environment. So, exactly one of $P_i$ and $P_j$ in any send($M, P_i, P_j$) or
receive($M, P_j, P_i$) is always an environmental principal.

2.3 States

Each principal has a local state. Local states are assumed to be unique; although
principals may not always be able to distinguish all of even their own local states.
A state $S_i$ local to principal $P_i$ at time $t$ is given by

$S_i = (\mathit{state\text{-}id}, \mathit{history}, \mathit{log}, \mathit{facts}, \mathit{recent})$

The history is the sequence of actions that have been performed locally. The
log is the sequence of local actions that have been logged. Similar to the local
history, the local log is complete in having an entry for each time. But, since the
log reflects the local time, entries are recorded as $(a, t)$ where
$t = \mathit{localtime}(t')$ is the time on the local clock when $t'$ is the
actual time, and $t'$ is the actual time that $a$ occurred. We assume that the
real clock is fine enough to reflect the occurrence of all events in the system.
Thus, an advance of the real clock need not imply an advance on all local clocks,
but an advance on any local clock implies an advance on the real clock. Since
principals may or may not keep track of local actions, and may even 'forget'
them, the log may contain a null-log-entry $\bot$ for any time $t$. This is not
the same as a null-action $\Lambda$, which may occur in both the local history
and the local log and indicates that no action was performed at that time. We
also keep track of any facts that may be known by a principal, such as the public
key of a local server. These are collected in a set facts. In a principal's
initial state all of the fields except state-id and facts should be empty
sequences.

We keep track of actions and of facts by means of a record action. record is
defined on $\mathit{recent} \cup \mathit{knowledge}$. (The constitution of both
recent and knowledge will be set out below.) For an action
$a \in \mathit{recent}$, record($a$) has the effect of placing
$(a, \mathit{localtime}(t_a))$ in the local log. For a known formula $\varphi$,
record($\varphi$) has the effect of placing $\varphi$ in the set of facts, facts.
We also allow sets of recent actions and sets of known formulae in the domain of
record. The way that record works for these sets should be obvious from the case
for individual actions and known formulae. purge is similarly defined on entries
in log and facts in facts. purge($\{(a_1, t_1), \ldots, (a_m, t_m)\}$) has the
effect of removing those log entries from the log and replacing them with $\bot$.
purge($\{\varphi_1, \ldots, \varphi_m\}$) has the effect of removing those
formulae from the set of recorded facts. The recent actions, recent, are actions
that were effectively performed recently and are remembered even though they have
not been logged. recent is always a tail segment of history and never includes
record or purge actions.

We will introduce composite (group) principals presently. Nonetheless, each
global state is completely determined by a tuple of the local states of all atomic
principals. A run is a sequence of global states indexed by (actual) times, where
any local state occurring in the global state at time $t$ is such that the
relevant principal is in that local state at (actual time) $t$.


2.4 Knowledge

In a given local state, knowledge is entirely determined by the log, the set of
facts, and the recent actions. We include in the set of formulae, knowledge, the
closure of what is known from those three sources. More precisely we have: (1) If
an action is known to a principal because it is in the log or is recent, then the
principal knows that he performed that action. So, for example, if
receive($M, P_i, P_j$) $\in \mathit{recent}$ or if
receive($M, P_i, P_j$) $\in \mathit{log}$ then
$P_i$ received from $P_j$ $M$ $\in \mathit{knowledge}$.
(2) If $\varphi \in \mathit{facts}$, then $\varphi \in \mathit{knowledge}$.
(3) If $\varphi$ can be derived from other members of knowledge by the axioms,
then $\varphi \in \mathit{knowledge}$. That $P$ knows $\varphi$ is represented
in our language by $\Box_P \varphi$. The dual of $\Box_P$ is $\Diamond_P$.
(There are certain generic axioms for adding to the knowledge of principals,
e.g., $(\Box_P \varphi \wedge \Box_P (\varphi \supset \psi)) \supset \Box_P \psi$.
So, if $\varphi, (\varphi \supset \psi) \in \mathit{knowledge}$, then
$\psi \in \mathit{knowledge}$. Axioms for knowledge will be briefly discussed
below in section 4.)


P. Syverson and S. Stubblebine, Group Principals and the Formalization of Anonymity, in FM'99 -
Formal Methods, Vol. I, Springer-Verlag LNCS 1708, Sept. 1999, pp. 314-333.


2.5 Group Principals

Ordinarily, we think of principals atomically. In particular, when evaluating
protocols in the Dolev-Yao framework, we view all communication as going through
a single environmental principal, typically identified as the intruder. For
example, anything sent between principals A and B is assumed to be known to the
intruder as is anything sent between principals C and D. However, the intruder
between A and B may not be able to directly communicate with the intruder
between C and D. They may only be able to communicate via 'honest' principals,
e.g., one intruder can signal the other by causing an honest principal between
them to send certain messages to the other. (Cf. [26] for more discussion of
this model of computation in a hostile environment.) This naturally engenders
a view of the environment as a distributed group principal. Similarly, sets of
honest principals trying to solve some threshold computation (e.g., decryption
or signature) may be thought of in this way. We will find it useful to have various
types of group principals to model these and other circumstances.

There are four kinds of group principal: collective-group ($\star G$), and-group
($\&G$), or-group ($\oplus G$), and threshold-group ($n\text{-}G$). Each type of
group principal is distinguished by how the knowledge and actions of the
principal are determined by the knowledge and actions of the members of that
principal. The set of group principals $\mathcal{G}$ is defined as follows: for
any nonempty set of atomic principals $G$, $\star G$, $\&G$, and $\oplus G$ are
all groups (of the indicated type). And, $n\text{-}G$ is a (threshold) group
provided that $n < |G|$.

collective group principal: Given any set of atomic principals $G$, $\star G$ is
a distributed group viewed collectively. What the group knows is what is known
by combining the knowledge of all the group members. (This is the concept
of distributed knowledge in [11].) The group actions are those taken by the
group collectively. For example, if something is sent or received by any
member of the group then it is sent (received) by the group. However, it may also
be the case that the group performs some action, e.g., elect a leader and
possible successors, that is not performed by any one of the members. In
this example, each member might vote for one leader, but the succession is
determined by the total number of votes received, in diminishing order.

and-group principal: written $\&G$ for an and-group of members of $G$, is a
distributed group viewed conjunctively. We also write
$(P_1 \wedge \ldots \wedge P_n)$ for the and-group of principals $P_1$ through
$P_n$. What the and-group knows is what every member of the group knows. (This
is the concept of everyone knowledge in [11].) The group actions are those taken
by each member of the group. Thus, $\&G$ said (received) message $M$ if each
member of $G$ said (received) $M$.

or-group principal: written $\oplus G$ for an or-group of members of $G$, is a
distributed group viewed disjunctively. We also write
$(P_1 \vee \ldots \vee P_n)$ for the or-group of principals $P_1$ through $P_n$.
What the or-group knows is what at least one member of the group knows. (This
does not have a correlate in [11].) The group actions are those taken by at
least one member of the group. Thus, $\oplus G$ said (received) message $M$ if
at least one member of $G$ said (received) $M$.

threshold group principal: written $n\text{-}G$ for a given threshold $n$ and
group $G$. What the n-threshold group $n\text{-}G$ knows is anything known by any
collective subgroup contained in $G$ of cardinality at least $n$. (This does not
have a correlate in [11].) Suppose two subgroups $G', G'' \subseteq G$ s.t.
$|G'| \geq n$ and $|G''| \geq n$. Ordinarily, if $\Box_{G'} \varphi$ and
$\Box_{G''} (\varphi \supset \psi)$, we cannot conclude anything more specific
than that $\Box_{\star(G' \cup G'')} \psi$. But, if $G$ is an n-threshold group,
then it follows that $\Box_{n\text{-}G} \psi$. Thus, it follows that
$\Box_{G'} \psi$ (and $\Box_{G'} (\varphi \supset \psi)$) and $\Box_{G''} \psi$
(and $\Box_{G''} \varphi$). Another way to characterize an n-threshold group is
as an or-group of collective groups, each with cardinality of at least $n$. Thus
if $G' = \{G_1, \ldots, G_m\}$ is the set of all collective subgroups of $G$
s.t. $|G_i| \geq n$, then

$n\text{-}G = \oplus G'$ (which is $(G_1 \vee \ldots \vee G_m)$)

What the n-threshold group $n\text{-}G$ does is what is done by any subgroup
contained in $G$ of cardinality at least $n$. Thus, $n\text{-}G$ said (received)
anything said (received) by any subgroup of cardinality at least $n$.
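
The following Python sketch is an added example, not part of the original paper: it evaluates what each kind of group principal knows and says over constructed data, using closure under modus ponens as a stand-in for clause (3) of Section 2.4. The principal names, fact sets, sent messages and function names are assumptions made for illustration.

```python
from itertools import combinations

# A formula is an atom (str) or an implication ("->", antecedent, consequent).
def closure(formulae):
    """Close a set of formulae under modus ponens (the only derivation
    rule modelled here; the paper's knowledge set uses the full logic)."""
    known = set(formulae)
    grew = True
    while grew:
        grew = False
        for f in tuple(known):
            if (isinstance(f, tuple) and f[0] == "->"
                    and f[1] in known and f[2] not in known):
                known.add(f[2])
                grew = True
    return known

def collective_knows(facts, group, phi):
    """Collective group: pool every member's facts, then close."""
    pooled = set()
    for member in group:
        pooled |= facts[member]
    return phi in closure(pooled)

def and_knows(facts, group, phi):
    """And-group: every member knows phi on its own."""
    return all(phi in closure(facts[m]) for m in group)

def or_knows(facts, group, phi):
    """Or-group: at least one member knows phi on its own."""
    return any(phi in closure(facts[m]) for m in group)

def knowing_subgroups(facts, n, group, phi):
    """Collective subgroups of cardinality at least n that know phi."""
    members = sorted(group)
    return [sub
            for size in range(n, len(members) + 1)
            for sub in combinations(members, size)
            if collective_knows(facts, sub, phi)]

def threshold_knows(facts, n, group, phi):
    """Threshold group, read as an or-group of the collective subgroups
    of cardinality at least n."""
    return bool(knowing_subgroups(facts, n, group, phi))

def group_said(sent, kind, group, message):
    """'said' for an and-group (each member) or an or-group (some member)."""
    votes = [message in sent[m] for m in group]
    return all(votes) if kind == "and" else any(votes)

# Constructed sample data: "k" stands for a fact every principal holds,
# such as a server's public key.
FACTS = {
    "P1": {"k", "p"},
    "P2": {"k", ("->", "p", "q")},
    "P3": {"k", "p", "r"},
}
SENT = {"P1": {"M"}, "P2": {"M"}, "P3": set()}
G = {"P1", "P2", "P3"}

if __name__ == "__main__":
    print("collective knows q:", collective_knows(FACTS, G, "q"))
    print("or-group knows q:  ", or_knows(FACTS, G, "q"))
    print("and-group knows k: ", and_knows(FACTS, G, "k"))
    print("2-of-G knows q via:", knowing_subgroups(FACTS, 2, G, "q"))
```

The or-group knows both `p` and `p -> q` yet not `q`, because no single member holds both premises; pooling inside a collective subgroup is what lets the threshold group draw the conclusion.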


3 Formal Language

Let $A$ and $B$ be principals, $M$ be a message, and $\varphi$ be a formula. We
assume without explanation the usual logical connectives and formula building
using them. Any formula is also a message, though not vice versa.

Actions. There are send and receive actions. We can record and purge both send
and receive actions.

send(M, A, B)
receive(M, B, A)

Also, if s-r-action is a send or receive action, then we also have the purging
and recording of send and receive actions.

purge(s-r-action)
record(s-r-action)

We will find it useful to have the following macro (eliminable definition):

action(M, A, B, remember);

is a macro for

action(M, A, B); record(action(M, A, B));

Said and Received Formula. These are formulae expressing the sending and
receiving of messages, as well as of any formulae implicit in the sending or
receiving of such messages.

A said M
A received M
A said to B M
B received from A M

That a formula represents the whole message sent or received is denoted
by the use of quotation marks. These refer not to the bit string, but to the
parsing of that string without any encryption, decryption, deconcatenation, etc.¹
So, for example, were $A$ to send the message $\{M\}_K$ (where $A$ knew $K$),
then $A$ said "$\{M\}_K$" and $A$ said $M$ would be true, but $A$ said "$M$"
would not.

Message Extensions. Message fields may have an origin and destination. We
express this using either "to" or "from" or using both extensions.

(X from A to B)

We can further qualify certain features of a message that are common to
anonymity protocols. These features include an indication of the ultimate
destination of a message using "for".

(X for B)

Another feature common to anonymity protocols is referencing a prior
message. This is common for query-response (request-response) protocols.

R in response to Q

Encryptions and Key Possession. Messages may also be encrypted. The
encryption of $M$ with $K$ and $A$'s possession of $K^{-1}$ are expressed as
follows.

$\{M\}_K$
$A$ has $K^{-1}$

Runs Formula. A principal running a knowledge program is expressed.

A runs program_name

Knowledge. If $\varphi$ is a formula in the language, and $A$ a principal, we
can express that $A$ knows $\varphi$ and that $A$ knows possibly $\varphi$, by
the following formulae respectively.

$\Box_A \varphi$

$\Diamond_A \varphi$

¹ In particular, this is not meant to be an opaque context. Thus, values may be
substituted for variable names.

Did Formula. The following allow us to express any action done by a principal,
as a formula. For example, suppose $A$ performed some action action. This
is expressed by the following. (It might be possible to replace the following two
types of formulae with one type and an appropriate temporal operator. However,
we choose to keep the number of modal operator types that we use to a minimum
for the present.)

A did (action)

If the action is being done now (i.e., recently according to our model), we can
express this as:

A does (action)


4 Logic

We set out here our axioms and rules. Those for knowledge and propositional
reasoning are standard. For background consult [11, 8, 16].

Propositional and Epistemic Logic. Knowledge is characterized by the S5
axioms. Our only rules are modus ponens and necessitation (knowledge
generalization):

Modus Ponens: From $\varphi$ and $\varphi \supset \psi$ infer $\psi$.

Knowledge Generalization: From $\vdash \varphi$ infer $\vdash \Box_P \varphi$.

It is important to recall that knowledge generalization does not allow us to
infer that $P$ knows $\varphi$ for arbitrary formulae $\varphi$. Rather, if
$\varphi$ is a theorem (i.e., derivable from axioms alone with no assumptions)
then $\Box_P \varphi$ is also a theorem. In other words, all principals are
expected to know all logical truths. Now for the axioms.

Ax1. All tautologies of propositional logic are axioms.

As mentioned before, $\Box_P$ and $\Diamond_P$ are duals. This means that these
are interchangeable according to the definition:
$\Diamond_P \varphi \equiv \neg \Box_P \neg \varphi$ (for any formula $\varphi$).
Given formulae $\varphi$ and $\psi$ the knowledge axioms are as follows. (N.B.
These axioms, together with the above rules and axiom, constitute S5, the most
standard and well understood knowledge logic for distributed computing. The
axioms may not all be ultimately necessary for intended applications. However,
we begin with S5 and leave the possible elimination of unnecessary axioms for
future work.)

Ax2. Distribution Axiom, K: $\Box_P (\varphi \supset \psi) \supset (\Box_P \varphi \supset \Box_P \psi)$

Ax3. Truth Axiom, T: $\Box_P \varphi \supset \varphi$

Ax4. Positive Introspection Axiom, 4: $\Box_P \varphi \supset \Box_P \Box_P \varphi$

Ax5. Negative Introspection Axiom, 5: $\neg \Box_P \varphi \supset \Box_P \neg \Box_P \varphi$

Simplifying Said and Received Formulae. These formulae may be simplified in
the obvious ways. We do not list all of these, but simply give representative
examples:

Ax6. $A$ said to $B$ $M$ $\supset$ $A$ said $M$

Ax7. $B$ received from $A$ $M$ $\supset$ $B$ received $M$

Ax8. $A$ said to $B$ $(M_1, \ldots, M_n)$ $\supset$ $A$ said to $B$ $M_i$ (where $i \in \{1, \ldots, n\}$)

Assume $K$ is an encryption key and $K^{-1}$ the corresponding decryption key (in
the symmetric case $K = K^{-1}$).

Ax9. ($A$ said $\{M\}_K$ $\wedge$ $A$ has $K^{-1}$) $\supset$ $A$ said $M$

Ax10. ($B$ received $\{M\}_K$ $\wedge$ $B$ has $K^{-1}$) $\supset$ $B$ received $M$

Note that we do not have any axioms reflecting authentication principles, as in
[2] or its successors.

Message extensions may be removed in said and received formulae. Let
extensions($\varphi$) be the set of all messages that are extensions of
$\varphi$. Then, for any $\psi \in$ extensions($\varphi$) we have the following
axioms:

Ax11. $A$ said $\psi$ $\supset$ $A$ said $\varphi$

Ax12. $B$ received $\psi$ $\supset$ $B$ received $\varphi$

Thus, for example, the following is a theorem of our logic:

$A$ said "($X$ for $C$) from $A$ to $B$" $\supset$

($A$ said $X$ from $A$ $\wedge$ $A$ said ($X$ for $C$) to $B$ $\wedge$ $A$ said $X$)

Sending and Receiving. Message delivery is guaranteed. Sending corresponds to
saying exactly, and likewise for receiving.

Ax13. $A$ did (send($M, A, B$)) $\leftrightarrow$ $B$ did (receive($M, B, A$))

Ax14. $A$ did (send($M, A, B$)) $\equiv$ $A$ said to $B$ "$M$"

Ax15. $B$ did (receive($M, B, A$)) $\equiv$ $B$ received from $A$ "$M$"

Record Implies Did. This axiom expresses that an entity recording an action
implies that it performed the action.

Ax16. $A$ did (record(s-r-action)) $\supset$ $A$ did (s-r-action)

Doing and Knowing What Was Done. These axioms express the conditions
under which a principal knows what it has done as well as the relation between
does and did.

Ax17. $A$ did (s-r-action, remember) $\wedge$ $\neg A$ did (purge(s-r-action)) $\supset$
$\Box_A$ $A$ did (s-r-action)

Ax18. $A$ does (s-r-action) $\supset$ $\Box_A$ $A$ does (s-r-action)

Ax19. $A$ does (s-r-action) $\supset$ $A$ did (s-r-action)

Group Axioms. These axioms relate to formulae involving group principals. We
mention here only the basic ones that will be useful in the rest of the paper. Let
$G = \{P_1, \ldots, P_n\}$. And, let $\varphi(G)$ be a formula with one or more
(free) occurrences of $G$ and $\varphi(P/G)$ be the formula that results from
replacing every (free) occurrence of $G$ in $\varphi$ with $P$.

Ax20. $\varphi(\&G) \equiv (\varphi(P_1/G) \wedge \ldots \wedge \varphi(P_n/G))$

Ax21. $\varphi(\oplus G) \equiv (\varphi(P_1/G) \vee \ldots \vee \varphi(P_n/G))$

5 Anonymity Properties

The goal of any system or protocol we will be examining is to provide some type
of anonymity, that is to hide some fact about a principal or set of principals from
some adversary. This can be broken into two parts: the piece of information to
be protected and the nature of that protection. In this section, we will set out a
characterization of both pieces.

5.1 Condenda (i.e., things to be hidden)

We might want to hide that a principal is the originator of a message or that
some pair of principals are the originator and intended recipient, respectively,
of a message, etc. For profile security, we may wish to hide that two messages
originating from the same principal in fact originated at that principal or more
strongly that they originated at any one principal.

5.2 Condens (i.e., types of hiding)

The various facts just described that are to be hidden from view may be hidden
to varying degrees. We will now set out the various types of anonymity that can
be achieved with respect to each of these. The principal from whom they are to
be hidden is always the intruder, $I$. The exact nature of the intruder will vary
from context to context; it may include insiders and/or outsiders to the system
running active or merely passive attacks. No matter how the intruder is
implemented, we are always able to represent the types of anonymity with respect
to an abstract intruder, $I$. This allows for a succinct statement of properties;
however, since the following are not stated with respect to a particular
principal, technically they are formula schemata rather than formulae. In
practice we always specify a particular principal for the condens. In the future,
we might allow actual principal variables, but we do not attempt such here.
Similarly, we might consider existential quantification over principals, e.g., to
reflect the hiding of arbitrary profiles, whether or not they are associated with
any given principal (more generally, n-tuple of principals).

We first set out some assumptions. Our main assumption is that all
condenda are of the form $\varphi(P)$. In other words, they are single formulae
in which a single principal name occurs (freely). Our restriction to single
principals is just for simplicity and uniformity of presentation. The
generalization from hiding $P$ said $X$ to hiding $P$ said to $Q$ $X$ is
straightforward. Our restriction to single formulae is minimal. For example, if
we wish to hide profiling information about $P$, e.g., that several facts about
$P$ are associated, this is generally expressible in a single formula, such as
$\varphi(P) \supset \psi(P)$. We do not attempt to represent the hiding of
arbitrary formulae of the language that do not involve principal names at all. It
is unclear what role these would play in anonymity protection. However, we may
explore this possibility in the future should need arise. Our next major
assumption is that condenda are true of only one principal. Thus, for any formula
$\varphi(P)$ for which we are considering the anonymity provided by a system or
protocol, we assume

$\Box_I (\varphi(P) \wedge \varphi(Q) \Rightarrow P = Q)$

We also assume that any condendum is actually true. That is, we are not worried
about trying to prevent the conclusion or even suspicion that $P$ said $X$ in the
case when $P$ did not say $X$.

Unknown

$\neg(\Diamond_I \varphi(P))$

In our current logic and language, this is basically impossible. It is logically
equivalent to $\Box_I \neg\varphi(P)$. Thus, by axiom Ax3, this cannot be true if
$\varphi(P)$ is true (which we assume). Therefore, everyone is always a suspect.
The only possibility for a principal to be unknown would be if we partitioned the
set of principal names so that some were meaningless to the intruder. We do not
consider such an extension in this paper.

$(\geq n)$-anonymizable

$\Diamond_I \varphi(P) \supset (\Diamond_I \varphi(P_1) \wedge \ldots \wedge \Diamond_I \varphi(P_{n-1}))$

We assume here and in the following definitions that distinct names denote
distinct principals. This says that if $P$ is a suspect wrt $\varphi$ then there
are $n - 1$ other principals (and possibly more) who are also suspects. If there
are precisely $n - 1$ other principals such that $\Diamond_I \varphi(P_i)$ when
$\Diamond_I \varphi(P)$, we have the more exact property of being
n-anonymizable. Similarly for the properties below.

Possible Anonymity

$\Diamond_I \varphi(P) \wedge \Diamond_I \neg\varphi(P)$

The intruder cannot rule out $\varphi(P)$ but cannot rule out $\neg\varphi(P)$.
Basically, he has no knowledge about this condendum.

$(\leq n)$-suspected

$\Box_I (\varphi(P) \vee \varphi(P_1) \vee \ldots \vee \varphi(P_{n-1}))$

The intruder has narrowed things down to no more than $n$ suspects, one of
which is $P$.

$(\geq n)$-anonymous

$\Diamond_I \varphi(P) \wedge \Diamond_I \varphi(P_1) \wedge \ldots \wedge \Diamond_I \varphi(P_{n-1})$

The intruder has narrowed things down to no fewer than $n$ suspects, one of
which is $P$.

$(\leq m)$-suspected implies $(\geq n)$-anonymous

$\Box_I (\varphi(P) \vee \varphi(P_1) \vee \ldots \vee \varphi(P_{m-1})) \supset (\Diamond_I \varphi(P) \wedge \Diamond_I \varphi(P_1) \wedge \ldots \wedge \Diamond_I \varphi(P_{n-1}))$

Here $n \leq m$. The idea is that even if the intruder has narrowed things down
to $m$ or fewer suspects, he cannot narrow down who is $\varphi$ to fewer than
$n$. In the case where $n = m$, proving this property is like saying "OK, let's
assume for the sake of argument that the intruder has narrowed it down
to $m$ suspects. By this property, he cannot do any better than that." This
is stronger than a simple bound on intruder knowledge: it is a bound even
when we assume a given degree of knowledge for the intruder.

Exposed

$\Box_I\, \varphi(P)$

We say a formula is exposed if the intruder knows the truth of the formula,
i.e., he knows exactly who it is that $\varphi$.
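The definitions above can be checked mechanically once the intruder's knowledge is given as the set of worlds he cannot rule out. The following Python sketch is an added example, not part of the paper: it assumes a world is represented by the set of principals for which $\varphi$ holds in it, and all function names and the sample data are hypothetical.

```python
from itertools import combinations

# A world is the frozenset of principals for which phi holds in that world.
# `worlds` is the set of worlds the intruder I cannot rule out; by Ax3
# (what is known is true) it always contains the actual world.

def box(worlds, pred):
    """Box_I psi: psi holds in every world I considers possible."""
    return all(pred(w) for w in worlds)

def diamond(worlds, pred):
    """Diamond_I psi: psi holds in at least one possible world."""
    return any(pred(w) for w in worlds)

def suspects(worlds, principals):
    """Every P with Diamond_I phi(P)."""
    return {p for p in principals if diamond(worlds, lambda w: p in w)}

def unknown(worlds, p):
    """not Diamond_I phi(P); false whenever phi(P) is true in the actual world."""
    return not diamond(worlds, lambda w: p in w)

def exposed(worlds, p):
    """Box_I phi(P)."""
    return box(worlds, lambda w: p in w)

def possibly_anonymous(worlds, p):
    """Diamond_I phi(P) and Diamond_I not phi(P)."""
    return (diamond(worlds, lambda w: p in w)
            and diamond(worlds, lambda w: p not in w))

def at_least_n_anonymous(worlds, principals, p, n):
    """(>= n)-anonymous: P and n-1 distinct other principals are suspects."""
    s = suspects(worlds, principals)
    return p in s and len(s) >= n

def at_most_n_suspected(worlds, principals, p, n):
    """(<= n)-suspected: some n-1 others make the disjunction
    phi(P) v phi(P_1) v ... v phi(P_{n-1}) true in every possible world."""
    others = [q for q in principals if q != p]
    k = max(0, min(n - 1, len(others)))
    return any(box(worlds, lambda w, g=frozenset({p, *grp}): bool(w & g))
               for grp in combinations(others, k))

def suspected_implies_anonymous(worlds, principals, p, m, n):
    """(<= m)-suspected implies (>= n)-anonymous, for n <= m."""
    return (not at_most_n_suspected(worlds, principals, p, m)
            or at_least_n_anonymous(worlds, principals, p, n))

# Constructed sample: four principal names, three worlds left open.
PRINCIPALS = ["P", "P1", "P2", "P3"]
WORLDS = [frozenset({"P"}), frozenset({"P1"}), frozenset({"P2"})]
```

When a world may contain more than one principal satisfying $\varphi$, the two bounds can come apart: with the worlds {P, P1} and {P1, P2}, P is ($\leq 2$)-suspected yet ($\geq 3$)-anonymous.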


5.3  Other  Characterizations  of  Anonymity 

Ours is by no means the first attempt to characterize anonymity. Reiter and Rubin
present a range of “degrees of anonymity” in [21] from “absolute privacy” to
“provably exposed”. There are two important differences between their approach
and ours. First, their definitions are not given in a formal language and are not
designed to have a formal specification or analysis. Second, their approach is
probabilistic while ours is possibilistic. We will return to this point presently.

A formal characterization of anonymity has been given in terms of CSP in
[22]. The basic idea there is to describe a system by means of a process P and
a renaming function f and to consider a system anonymous if mapping the process
to the image of f and back yields the same process. Space precludes a clear
setting out of their characterization. Put no doubt too succinctly, with respect
to our characterization above, the parameters allow one to vary the principal P
and the formula $\varphi$ and perhaps the intruder doing the observation. Thus, one
can capture many different condenda and different intruders. However, it appears
that there is only one condens that they consider. On the other hand, they
have the advantage of expressing things entirely in terms of CSP, which is a well
understood formalism. The logic in this paper is meant as an alternative, not
a replacement for the CSP approach. As different people have different tastes
regarding the approach with which they are comfortable, it is good to have
alternatives. One approach seems to have a more succinct and intuitive expression
of properties while the other has an existing framework and analysis tool. In
any case, they are not necessarily mutually exclusive. It is conceivable that one
could have a process algebra semantics for a logic such as in this paper. We
might thereby take a step towards combining the advantages of theorem provers
and model checkers, such as in the NRL Protocol Analyzer.

Like Schneider and Sidiropoulos, our characterizations of anonymity are
possibilistic rather than probabilistic. And, like them we would hope to bring in
probabilistic language at some point. However, there is reason to think that
most of the contributions will occur on the possibilistic front.

First, it is often difficult to assign probabilities. In our case this is both
because we are concerned with the nonprobabilistic behaviour of users at the
system interface and because any assignment of probabilities based on expected
behavior may be altered by an active intruder. Assigning probabilities can also
be misleading if not done correctly. For example, if 99 out of 100 remailers only
forward messages from one client to a second remailer, we might be tempted
to think that messages coming through the second remailer have a 99 percent
chance of being from that client. But, a moment's reflection will show this to be
incorrect. Second, even when probabilities can be assigned, adding probabilistic
expressiveness to a formal language usually greatly adds to the complexity of
specification and analysis.

Both of these points are well illustrated in the information flow security
literature. The basic concept of noninterference as introduced in [15] is possibilistic,
and most of the analysis, system design, and development of related properties
that has gone on since then has been of a possibilistic nature. In fact, the only
substantial systems built to date that have been designed to be noninterfering
in any sense have taken a possibilistic approach. Nonetheless, it is possible to
give a probabilistic characterization of noninterference [4, 17]. And, a system
satisfying these probabilistic properties is clearly more secure. Nonetheless, virtually
no significant design or analysis has been done in this area, no doubt due to the
complexity. (Some recent encouraging advances have been made by Volpano and
Smith [27].) This state of affairs has been mirrored on the formal level as well.
There have been possibilistic characterizations of many possibilistic noninterference
properties in a variety of formalisms, including notably epistemic logic [3,
14]. And, there have even been some epistemic characterizations of probabilistic
noninterference [24]. But, again, most of the development as well as discussion
of more complex systems has been in terms of possibilistic properties. Our
expectation is that the situation is likely to be analogous when formally analyzing
anonymity. Probabilistic characterizations may still be applied to substantial
systems, for example Crowds, but it is unclear if these will prove both general
and amenable to formal specification or analysis.

6  Knowledge  Programs 

Systems and environments that we discuss will be specified via knowledge
programs following the approach of Fagin et al. [11, 12]. All our knowledge programs
have the following form:

case of
    if [knowledge test #1]
    do [action #1]
    if [knowledge test #2]
    do [action #2]

end case

Knowledge tests are conjunctions of formulae where each conjunct is preceded
by $\Box_P$ or $\neg\Box_P$ for some principal P. Actions are performed by the principal
running the program. Each action given in the consequent of a clause may be a
series of actions to be performed by the principal. The knowledge test and action
given in any one clause are considered atomic. At any one time, at most one
clause of the program will fire. Also, in a properly specified knowledge program,
knowledge tests should be mutually exclusive. Thus, at any one time, only one
clause of a properly specified program can fire. In the execution of a knowledge
program, recent actions, defined in the model in section 2, are ones taken during
the execution of the current clause.²

As  noted  above  in  section  2,  the  system  environment  can  be  viewed  as  a  group 
principal  made  up  of  many  smaller  environments.  We  will  now  examine  this  point 
in  more  detail.  Our  reasons  are  at  least  twofold:  (1)  The  environment  programs 
we  will  set  out  presently  are  very  simple.  Thus,  they  serve  as  an  accessible 
introduction  to  knowledge  programs.  (2)  The  environment  programs  we  will  set 
out  are  generic  and  will  be  used  to  describe  the  environment  for  subsequently 
presented  examples. 

6.1  Generic  Environment  Programs 

The following programs describe environments between the various principals.
Recall that we assume message delivery is guaranteed; all uncertainty, delay, etc.
is reflected in the behavior of the environment. Note also that the clauses for
environment principals are often simpler than for system principals. This is
because the environments we set out here are not doing anything based on message
content other than the to or from fields; they simply forward any message they
receive or block it, possibly recording the events. More sophisticated
environments, e.g., doing selective forwarding based on message content or timing, are
possible. We will not describe them here.

We typically assume a single environment between any two system principals.
This we call a pairwise³ environment. In some sense, the communication graph
for the system is fully connected, but with an environment principal between
any two system principals (much as in [26], although our environments need
not be hostile). However, in practice many of these environment principals will
simply block any transmission they receive. And, we will not bother to specify
these in cases where there is obviously no direct communication between the
two principals or we do not care if there is (and so can assume that there is
not). Also, we are often more interested in an environment principal that is
a distributed group of the pairwise environment principals just mentioned, for
example, when we consider several distinct clients sending queries through the
Anonymizer. We now give some examples of basic environments, from which
more complex environments can be built.

2 Unlike the “knowledge-based programs” of [11, 12], our knowledge programs do not
have “standard tests” (those not involving epistemic operators) because we have yet
to see a need for these tests in any of the examples we have looked at; although, there
is no reason they could not be added in if needed. There are also more important
differences. We have placed all uncertainty in the principals (including explicitly
represented environment principals). Thus, e.g., all sent messages are received, and
all received messages were sent by someone, albeit possibly an environment principal.

3 It might seem natural to call these ‘atomic environments’. However, a complex
environment that, e.g., forwards messages between two principals based on the traffic
it sees between two others could not be reduced to such atomic principals. Hence,
this would be a misnomer. Detailed discussion of such environments is beyond the
scope of this paper.

A  reliable  environment  between  principals  is  one  that  simply  passes  any 
messages  sent  between  them  without  any  alteration,  delay,  recording,  etc. 

Reliable_Environment_Program:

if [$\Box_E$ E received from $P_i$ “M to $P_j$” $\wedge$ $\neg\Box_E$ E said to $P_j$ “M to $P_j$”]
do [send(M to $P_j$, E, $P_j$)]

A remembering environment between principals is just like the reliable
environment except that it keeps track of all messages it passes.

Remembering_Environment_Program:

if [$\Box_E$ E received from $P_i$ “M to $P_j$” $\wedge$ $\neg\Box_E$ E said to $P_j$ “M to $P_j$”]
do [record(receive(M to $P_j$, E, $P_i$));
    send(M to $P_j$, E, $P_j$, remember)]

A simple blocking environment is one that simply blocks (drops) all messages
that pass through it. It thus does no action, i.e., $\Lambda$. But, to explicitly contrast
it with the next environment, we give it the following redundant description.

Simple_Blocking_Environment_Program:

if [$\Box_E$ E received from $P_i$ “M to $P_j$” $\wedge$ $\neg\Box_E$ E said to $P_j$ “M to $P_j$”]
do [$\Lambda$]

A  remembering  blocking  environment  is  one  that  blocks  (drops)  all  messages 
that  pass  through  it,  but  records  the  message  receptions. 

Remembering_Blocking_Environment_Program:

if [$\Box_E$ E received from $P_i$ “M to $P_j$” $\wedge$ $\neg\Box_E$ E said to $P_j$ “M to $P_j$”]
do [record(receive(M to $P_j$, E, $P_i$))]

An environment may forward only messages sent from or to a selected principal
(possibly a group principal). By selecting which traffic it forwards, the
environment may reveal traffic information to other parts of the intruder elsewhere,
e.g., in a system employing chained remailers or other forwarding mechanisms.
A pairwise environment that selects based on sender or receiver would be trivial.
It would simply block (or forward) all messages in one direction and block
or forward all messages in the other direction. This is thus the first presented
example of an environment that will typically only be used to describe an
environment that is a group principal. We set out an example of an environment that
selectively forwards only messages from a particular principal, $P_0$. The program
itself is virtually identical to that of the remembering environment, except that
it only forwards if the sending principal is the particular principal specified.

Sender_Selecting_Environment_Program($P_0$):

if [$\Box_E$ (E received from $P_i$ “M to $P_j$” $\wedge$ $P_i = P_0$) $\wedge$
    $\neg\Box_E$ E said to $P_j$ “M to $P_j$”]
do [record(receive(M to $P_j$, E, $P_i$));
    send(M to $P_j$, E, $P_j$, remember)]

Despite the fact that some environments are not reducible to pairwise
environments, pairwise environments will serve as basic building blocks in many
cases. We therefore find it useful to refer to them succinctly. Let ‘$E_{P_iP_j}$’ denote
the environment between system principals $P_i$ and $P_j$. Thus, $E_{P_iP_j}$ runs Program
means that messages between $P_i$ and $P_j$ are delivered according to Program.
Note also that this is meant to cover messages in both directions. Thus, we
assume $E_{P_jP_i} = E_{P_iP_j}$.

6.2  Theorems  for  Environment  Programs 

In  the  course  of  our  analysis,  we  will  have  to  assess  what  various  principals  have 
or  have  not  done  and  what  they  know  or  don’t  know.  This  information  comes 
primarily  from  the  program  specifications,  the  assumptions  about  who  is  running 
what  program,  and  what  initial  messages  are  sent  and  facts  known.  A  main  way 
we  are  able  to  formally  derive  things  based  on  the  knowledge  programs  is  by 
means  of  program  theorems.  These  have  the  general  form: 

(P runs Program $\wedge$ precondition) $\supset$ postcondition

However,  for  the  purposes  of  the  analysis  we  do  in  this  paper,  we  can  more 
specifically  assume  that  the  only  way  for  the  postcondition  to  obtain  is  for  the 
principal  to  run  the  program  and  the  precondition  to  hold.  This  allows  us  to 
strengthen  the  form  to: 

(P runs Program $\wedge$ precondition) $\leftrightarrow$ postcondition

We  present  examples  of  these  program  theorems  below.  They  can  be  generated 
automatically  from  the  corresponding  knowledge  programs.  This  will  ultimately 
be  useful  for  automated  analysis.  For  now  we  must  be  content  to  set  them  out 
by  hand. 

A1. (E runs Reliable_Environment_Program $\wedge$
    E did (receive(M to $P_j$, E, $P_i$))) $\leftrightarrow$ P did (send(M to $P_j$, E, $P_j$))

A2. (E runs Remembering_Environment_Program $\wedge$
    E did (receive(M to $P_j$, E, $P_i$))) $\leftrightarrow$
    E did (record(receive(M to $P_j$, E, $P_i$)); send(M to $P_j$, E, $P_j$, remember))

A3. (E runs Simple_Blocking_Environment_Program $\wedge$
    E did (receive(M to $P_j$, E, $P_i$))) $\leftrightarrow$ E did ($\Lambda$)

A4. (E runs Remembering_Blocking_Environment_Program $\wedge$
    E did (receive(M to $P_j$, E, $P_i$))) $\leftrightarrow$
    E did (record(receive(M to $P_j$, E, $P_i$)))

A5. (E runs Sender_Selecting_Environment_Program $\wedge$
    E did (receive(M to $P_j$, E, $P_i$)) $\wedge$ $P_i = P_0$) $\leftrightarrow$
    E did (record(receive(M to $P_j$, E, $P_i$));
    send(M to $P_j$, E, $P_j$, remember))

7  Anonymizer  Example 

Space precludes presenting more than the knowledge programs for our example.
We here describe the standard analysis procedure to be followed if space permitted.
We would begin by setting out the knowledge programs that characterize
the system principals when operating properly (uncompromised). We would then
proceed to the analysis. This consists of (1) setting out the condenda, (2) giving
the contexts, i.e., setting out the specific system and environment principals
and the programs they are running, and specifying the intruder (here is where
we would specify compromised principals if necessary), (3) giving the program
theorems (relating pre- and postconditions to the programs being run), and (4)
assessing the anonymity protections afforded by the given programs under the
given conditions.

7.1  Anonymizer  Knowledge  Programs 

The  Anonymizer  [1]  is  a  Web  proxy  service  that  receives  queries  submitted  by 
a  client,  strips  off  any  identifying  information,  and  forwards  the  query  to  the 
relevant  server.  When  replies  are  received  from  the  server,  it  forwards  these  back 
to  the  client.  We  will  now  give  knowledge  programs  that  specify  an  anonymizer, 
a  client,  and  a  server.  For  our  purposes,  we  assume  multiple  clients  and  possibly 
multiple  anonymizers;  however,  it  is  only  necessary  to  assume  one  server. 

Variables for principal names should be fairly intuitive. We assume that there
is one environment $E_{CA_j}$ between an anonymizer $A_j$ and the set of clients $C_i$
that use it and one environment $E_{A_jS}$ between an anonymizer $A_j$ and a server
S. The variable Q represents a query and R represents a response to a query.
We also assume that communication between a client $C_i$ and the corresponding
user $U_i$ occurs without any intervening environment. For contexts where this is
not true, it should be clear how to add in the relevant environment principal.

Client_Program$_{C_i}$:

case of
    if [$\Box_{C_i}$ $C_i$ received “(Q for S) from $U_i$” $\wedge$
        $\neg\Box_{C_i}$ $C_i$ said to $E_{CA_j}$ “(Q for S) from $C_i$ to $A_j$”]
    do [send((Q for S) from $C_i$ to $A_j$, $C_i$, $E_{CA_j}$, remember)]
    if [$\Box_{C_i}$ ($C_i$ received from $E_{CA_j}$ “R in response to Q from S” $\wedge$
        $C_i$ said to $E_{CA_j}$ “(Q for S) from $C_i$ to $A_j$”) $\wedge$
        $\neg\Box_{C_i}$ $C_i$ said to $U_i$ “R in response to Q from S”]
    do [send(R in response to Q from S, $C_i$, $U_i$);
        purge(send((Q for S) from $C_i$ to $A_j$, $C_i$, $E_{CA_j}$))]
end case

Anonymizer_Program$_{A_j}$:

case of
    if [$\Box_{A_j}$ $A_j$ received from $E_{CA_j}$ “(Q for S) from $C_i$ to $A_j$” $\wedge$
        $\neg\Box_{A_j}$ $A_j$ said to $E_{A_jS}$ “Q from $A_j$ to S”]
    do [send(Q from $A_j$ to S, $A_j$, $E_{A_jS}$, remember);
        purge(receive((Q for S) from $C_i$ to $A_j$, $A_j$, $E_{CA_j}$));
        record(receive((Q for S) from $C_i$ to $A_j$, $A_j$, $E_{CA_j}$))]
    if [$\Box_{A_j}$ ($A_j$ received from $E_{A_jS}$ “R in response to Q from S” $\wedge$
        $A_j$ received from $E_{CA_j}$ “(Q for S) from $C_i$ to $A_j$”) $\wedge$
        $\neg\Box_{A_j}$ $A_j$ said to $E_{CA_j}$ “(R in response to Q from S) from $A_j$ to $C_i$”]
    do [send((R in response to Q from S) from $A_j$ to $C_i$, $A_j$, $E_{CA_j}$);
        purge(receive((Q for S) from $C_i$ to $A_j$, $A_j$, $E_{CA_j}$));
        purge(send(Q from $A_j$ to S, $A_j$, $E_{A_jS}$))]
end case

Server_Program$_S$:

case of
    if [$\Box_S$ S received from $E_{A_jS}$ “Q from $A_j$ to S” $\wedge$
        $\neg\Box_S$ S said to $E_{A_jS}$ “R in response to Q from S to $A_j$”]
    do [send(R in response to Q from S to $A_j$, S, $E_{A_jS}$);
        record(receive(Q from $A_j$ to S, S, $E_{A_jS}$))]
end case

The  above  assumes  the  server  logs  queries  (but  not  responses). 


7.2  Anonymizer  Condenda 

As  noted  above,  we  have  no  space  to  set  out  our  analysis.  Nonetheless,  we  at 
least  state  the  condenda  that  the  Anonymizer  is  expected  to  hide.  The  following 
are  examples  of  formulae  that  should  be  hidden  from  the  intruder.  The  operating 
environment  and  the  nature  of  the  intruder  will  be  set  out  below,  in  addition 
to  demonstrations  of  the  level  of  condendum  hiding  afforded  against  specified 
intruders  in  specified  environments. 

G1 $C_i$ said (Q for S)

G2 $C_i$ received R in response to Q from S

G3 $C_i$ received R in response to Q

G4 S said R in response to Q $\supset$ $C_i$ said Q
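To see how the environment programs of section 6.1 and the Anonymizer programs determine what an intruder can conclude about G1, the following Python sketch (an added example, not the paper's analysis) runs one query per world and keeps the senders whose run leaves the intruder with the same records as the actual run. It assumes worlds in which at most one client sends a single query, an intruder who knows which program each environment runs and reads the records of the principals it comprises, and hypothetical names (C1 to C3, E_CA, E_AS, and the function names).

```python
CLIENTS = ("C1", "C2", "C3")   # constructed principal names

def environment(program, msg, sender, log):
    """One firing of a section 6.1 environment program.
    Returns the message if forwarded, None if dropped (the null action)."""
    kind, p0 = program if isinstance(program, tuple) else (program, None)
    if kind == "sender_selecting" and sender != p0:
        return None                      # test P_i = P_0 fails: clause does not fire
    if kind in ("remembering", "remembering_blocking", "sender_selecting"):
        log.append(msg)                  # record(receive(...))
    if kind in ("reliable", "remembering", "sender_selecting"):
        return msg                       # send(...)
    return None                          # simple or remembering blocking

def run(sender, env_ca, env_as):
    """One world: `sender` (or None) submits a query Q for S via anonymizer A.
    Returns the records kept by each principal that logs."""
    logs = {"E_CA": [], "E_AS": [], "S": []}
    if sender is None:
        return logs
    q_in = f"(Q for S) from {sender} to A"
    if environment(env_ca, q_in, sender, logs["E_CA"]) is None:
        return logs
    q_out = "Q from A to S"              # the anonymizer strips the client name
    if environment(env_as, q_out, "A", logs["E_AS"]) is not None:
        logs["S"].append(q_out)          # Server_Program records received queries
    return logs

def view(logs, intruder):
    """Local state of the intruder: records of the principals it comprises."""
    return tuple((p, tuple(logs[p])) for p in sorted(intruder))

def g1_suspects(actual, intruder, env_ca, env_as):
    """Clients C for which the intruder cannot rule out 'C said (Q for S)',
    plus a flag telling whether 'nobody sent a query' is still possible."""
    seen = view(run(actual, env_ca, env_as), intruder)
    possible = [c for c in CLIENTS + (None,)
                if view(run(c, env_ca, env_as), intruder) == seen]
    return {c for c in possible if c is not None}, (None in possible)
```

With a remembering environment only between the anonymizer and the server, every client remains a suspect; a sender-selecting environment on the client side exposes the selected client even though the intruder reads only the server-side record.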

8  Conclusion 

We  have  introduced  the  basic  notion  of  a  group  principal  and  an  associated 
model,  language,  and  logic.  We  have  demonstrated  the  utility  of  these  by  defining 
anonymity properties and specifying an anonymity protocol. Space limitations
preclude  presenting  the  analysis  of  that  protocol  with  respect  to  anonymity. 

Even  if  we  had  space  to  set  it  out,  the  assessment  by  hand  of  anonymity  in  the 
example  we  have  specified  is  tedious  and  complex.  In  fact  it  would  be  infeasible 
to  provide  the  quantitative  by-hand  assessments  of  anonymity  we  envision  for 
complex  systems  involving  many  principals.  However,  with  the  theory  established 
in  this  paper,  we  have  a  starting  point  for  investigating  suitable  automated 
analysis  techniques  such  as  incorporating  the  use  of  model  checkers. 

Another direction for future work is the analysis of other types of security
properties using our characterization of group principals. In particular, we
believe we can ultimately give a characterization of such things as threshold
cryptography and proactive security.